Your message dated Thu, 05 Dec 2019 06:31:00 +0000
with message-id <e1ickfe-000ceq...@fasolo.debian.org>
and subject line Bug#945793: Removed package(s) from unstable
has caused the Debian Bug report #930858,
regarding gif2png: "not expected to be able to deal with arbitrarily broken input"
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
930858: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930858
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: gif2png
Version: 2.5.8-1+b2
Severity: grave
Tags: security
Justification: user security hole

I happened to notice the entry for 2.5.14 (which I realise is newer than
the one in Debian) on http://www.catb.org/~esr/gif2png/NEWS:

  "Redirect segfault to a graceful exit. Tired of meaningless fuzzer
  bugs."

This is from https://gitlab.com/esr/gif2png/issues/5, where the upstream
maintainer says:

  "Crash confirmed. But this program is not expected to be able to deal
  with arbitrarily broken input. All I'm going to do about it is add a
  SIGSEGV handler."

I understand that security vulnerabilities happen and that normally they
are patched and life goes on.  But this is a different case: here we
have an upstream maintainer explicitly saying that an image-processing
program is not suitable for use on arbitrary input, and explicitly
adding code to defeat fuzzers that might otherwise help to find bugs in
it.  I'm honestly flabbergasted by this approach to what must surely be
undefined behaviour in C code.

I suppose that one might still safely use gif2png to convert one's own
website if all it had to deal with was trusted images.  However, this is
an undocumented limitation, and it's quite easy to believe that
unsuspecting people might try to use gif2png as part of a larger system
where the input files cannot be trusted, such as an image-upload widget
on a website.

At the very least, the limitation that this program cannot safely be
used with untrusted input needs to be prominently documented (I'd
suggest the package description and the manual page).  web2png would be
harder to replace this way, but at least people wanting to make
straightforward use of gif2png should perhaps be advised to use some
other image processing system instead whose maintainers have a more
reasonable approach to reports of undefined behaviour in their programs.

-- System Information:
Debian Release: 10.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages gif2png depends on:
ii  libc6        2.28-10
ii  libpng16-16  1.6.36-6

Versions of packages gif2png recommends:
ii  python  2.7.16-1

gif2png suggests no packages.

-- no debconf information

Thanks,

-- 
Colin Watson                                       [cjwat...@debian.org]

--- End Message ---
--- Begin Message ---
Version: 2.5.8-1+rm

Dear submitter,

as the package gif2png has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see https://bugs.debian.org/945793

The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.

Please note that the changes have been done on the master archive and
will not propagate to any mirrors until the next dinstall run at the
earliest.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmas...@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Scott Kitterman (the ftpmaster behind the curtain)

--- End Message ---